Rawhide update gone awry

Daniel J Walsh dwalsh at redhat.com
Tue Apr 26 19:18:42 UTC 2005


Steve Brueckner wrote:

>I appear to have borked my SELinux installation.  I wanted to experiment
>with the new name_connect permission, which I read was available with the
>latest rawhide kernel and selinux policy.  So, in my first-ever attempt to
>use rawhide, I enabled my /etc/yum.repos.d/fedora-devel.repo file and then
>yum updated to the following:
>  
>
No, you probably just picked the wrong day to update to rawhide.
I have an updated policy on ftp://people.redhat.com/dwalsh/SELinux/Fedora.
It will fix some of the problems.

But you might want to do a complete yum update to get the latest stuff 
(FC4/Test2 plus updates).

Dan

>kernel.i686                              2.6.11-1.1267_FC4      installed
>selinux-policy-targeted.noarch           1.23.12-4              installed
>selinux-policy-targeted-sources.noarch   1.23.12-4              installed
>selinux-policy-strict.noarch             1.23.12-4              installed
>selinux-policy-strict-sources.noarch     1.23.12-4              installed
>libselinux.i386                          1.23.7-3               installed
>libselinux-devel.i386                    1.23.7-3               installed
>libselinux-debuginfo.i386                1.23.7-3               installed
>libsepol.i386                            1.5.5-2                installed
>policycoreutils.i386                     1.23.6-1               installed
>checkpolicy.i386                         1.23.1-1               installed
>setools.i386                             2.1.0-2                installed
>selinux-doc.noarch                       1.19.5-1               installed
>
>I then did a touch /.autorelabel; reboot, then after rebooting a make
>reload.  I'm using the targeted policy in permissive mode (things freeze up
>when I setenforce 1).  Policy version is 19.
>
>I get a lot of avc denied messages on boot; enough to make me think I did
>something wrong with my policy update or kernel update.  Did I even go about
>this the right way?  Is there anything obviously wrong with the steps I
>took?  I'm running FC3, and I wasn't certain about updating to an FC4 kernel
>but yum seemed to think it was OK so I went for it.  I get the same errors
>when I revert to 2.6.11-1.14_FC3.
>
>Thanks for any ideas.  My boot log is included below, with anything
>non-SELinux related snipped out.
>
> - Steve Brueckner, ATC-NY
>
>
>
>$ dmesg
>Linux version 2.6.11-1.1267_FC4 (bhcompile at porky.build.redhat.com) (gcc
>version 4.0.0 20050423 (Red Hat 4.0.0-1)) #1 Mon Apr 25 19:22:44 EDT 2005
>...
>Security Framework v1.0.0 initialized
>SELinux:  Initializing.
>SELinux:  Starting in permissive mode
>selinux_register_security:  Registering secondary module capability
>Capability LSM initialized as secondary
>...
>audit: initializing netlink socket (disabled)
>audit(1114514592.659:0): initialized
>...
>SELinux:  Registering netfilter hooks
>...
>security:  3 users, 6 roles, 684 types, 75 bools
>security:  55 classes, 126760 rules
>SELinux:  Completing initialization.
>SELinux:  Setting up existing superblocks.
>SELinux: initialized (dev dm-0, type ext3), uses xattr
>SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
>SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
>SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
>SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for
>labeling
>SELinux: initialized (dev devpts, type devpts), uses transition SIDs
>SELinux: initialized (dev eventpollfs, type eventpollfs), uses
>genfs_contexts
>SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
>SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
>SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
>SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
>SELinux: initialized (dev proc, type proc), uses genfs_contexts
>SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
>SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
>SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
>SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
>audit(1114514601.951:0): avc:  denied  { use } for  path=/init dev=rootfs
>ino=8 scontext=system_u:system_r:syslogd_t
>tcontext=system_u:system_r:kernel_t tclass=fd
>...
>SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
>...
>SELinux: initialized (dev hda1, type ext3), uses xattr
>SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
>Adding 2031608k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1
>SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses
>genfs_contexts
>...
>audit(1114529038.066:0): avc:  denied  { read } for  name=config dev=dm-0
>ino=3837327 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>audit(1114529038.066:0): avc:  denied  { getattr } for
>path=/etc/selinux/config dev=dm-0 ino=3837327
>scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>audit(1114529038.092:0): avc:  denied  { execute } for  name=restorecon
>dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:restorecon_exec_t tclass=file
>audit(1114529038.092:0): avc:  denied  { execute_no_trans } for
>path=/sbin/restorecon dev=dm-0 ino=1802308
>scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:restorecon_exec_t tclass=file
>audit(1114529038.092:0): avc:  denied  { read } for  path=/sbin/restorecon
>dev=dm-0 ino=1802308 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:restorecon_exec_t tclass=file
>audit(1114529038.093:0): avc:  denied  { search } for  name=contexts
>dev=dm-0 ino=3834258 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:default_context_t tclass=dir
>audit(1114529038.093:0): avc:  denied  { search } for  name=files dev=dm-0
>ino=3834262 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:file_context_t tclass=dir
>audit(1114529038.093:0): avc:  denied  { read } for  name=file_contexts
>dev=dm-0 ino=3834260 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:file_context_t tclass=file
>audit(1114529038.093:0): avc:  denied  { getattr } for
>path=/etc/selinux/targeted/contexts/files/file_contexts dev=dm-0 ino=3834260
>scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t
>tclass=file
>audit(1114529038.096:0): avc:  denied  { search } for  name=/ dev=selinuxfs
>ino=232 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:security_t tclass=dir
>audit(1114529038.096:0): avc:  denied  { read write } for  name=context
>dev=selinuxfs ino=5 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:security_t tclass=file
>audit(1114529038.096:0): avc:  denied  { check_context } for
>scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t
>tclass=security
>audit(1114529038.479:0): avc:  denied  { use } for  path=/init dev=rootfs
>ino=8 scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t
>tclass=fdSELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses
>genfs_contexts
>audit(1114529040.947:0): avc:  denied  { use } for  path=/init dev=rootfs
>ino=8 scontext=system_u:system_r:howl_t tcontext=system_u:system_r:kernel_t
>tclass=fd
>audit(1114529043.069:0): avc:  denied  { use } for  path=/init dev=rootfs
>ino=8 scontext=system_u:system_r:cupsd_config_t
>tcontext=system_u:system_r:kernel_t tclass=fd
>...
>audit(1114529047.672:0): avc:  denied  { read } for  path=/init dev=rootfs
>ino=8 scontext=system_u:system_r:restorecon_t
>tcontext=system_u:object_r:root_t tclass=file
>audit(1114529050.126:0): avc:  denied  { use } for  path=/init dev=rootfs
>ino=8 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t
>tclass=fdaudit(1114529052.770:0): avc:  denied  { write } for  name=etc
>dev=dm-0 ino=3833857 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:etc_t tclass=dir
>audit(1114529052.770:0): avc:  denied  { add_name } for  name=.fstab.hal.S
>scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t
>tclass=dir
>audit(1114529052.770:0): avc:  denied  { create } for  name=.fstab.hal.S
>scontext=system_u:system_r:hald_t tcontext=system_u:object_r:etc_t
>tclass=file
>audit(1114529053.042:0): avc:  denied  { write } for  name=media dev=dm-0
>ino=8552449 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:mnt_t tclass=dir
>audit(1114529053.042:0): avc:  denied  { remove_name } for  name=cdrecorder
>dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:mnt_t tclass=dir
>audit(1114529053.042:0): avc:  denied  { rmdir } for  name=cdrecorder
>dev=dm-0 ino=8552450 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:mnt_t tclass=dir
>audit(1114529053.157:0): avc:  denied  { write } for  path=/etc/.fstab.hal.S
>dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:etc_t tclass=file
>audit(1114529053.157:0): avc:  denied  { remove_name } for
>name=.fstab.hal.S dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:etc_t tclass=dir
>audit(1114529053.157:0): avc:  denied  { rename } for  name=.fstab.hal.S
>dev=dm-0 ino=3837358 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:etc_t tclass=file
>audit(1114529053.157:0): avc:  denied  { unlink } for  name=fstab dev=dm-0
>ino=3834553 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:etc_t tclass=file
>audit(1114529053.179:0): avc:  denied  { write } for  name=rhgb-socket
>dev=ramfs ino=4929 scontext=system_u:system_r:init_t
>tcontext=system_u:object_r:ramfs_t tclass=sock_file
>audit(1114529053.179:0): avc:  denied  { connectto } for
>path=/etc/rhgb/temp/rhgb-socket scontext=system_u:system_r:init_t
>tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
>audit(1114529053.577:0): avc:  denied  { getattr } for
>path=/dev/VolGroup00/LogVol00 dev=tmpfs ino=5807
>scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t
>tclass=lnk_file
>audit(1114529053.653:0): avc:  denied  { add_name } for  name=cdrecorder
>scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t
>tclass=dir
>audit(1114529053.654:0): avc:  denied  { create } for  name=cdrecorder
>scontext=system_u:system_r:hald_t tcontext=system_u:object_r:mnt_t
>tclass=dir
>audit(1114529053.674:0): avc:  denied  { getattr } for
>path=/dev/mapper/VolGroup00-LogVol00 dev=tmpfs ino=1128
>scontext=system_u:system_r:hald_t tcontext=system_u:object_r:device_t
>tclass=blk_file
>audit(1114529053.674:0): avc:  denied  { getattr } for  path=/dev/pts
>dev=devpts ino=1 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:devpts_t tclass=dir
>...
>audit(1114529081.451:0): avc:  denied  { getattr } for  path=/dev/pts
>dev=devpts ino=1 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:devpts_t tclass=dir
>
>
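An added example, not part of either poster's message: one way to triage a boot log like the one quoted above. It strips the mail quoting, rejoins the wrapped lines, splits records that run together in the log (`tclass=fdSELinux:`, `tclass=fdaudit(`), and groups the denied permissions by source type, target type and class. The function names are assumptions made for this sketch, and the sample is an excerpt of the quoted log.

```python
import re
from collections import defaultdict

# Excerpt of the quoted dmesg output above, kept as posted (quoting, wrapping, fused records).
SAMPLE = """\
>audit(1114529038.066:0): avc:  denied  { read } for  name=config dev=dm-0
>ino=3837327 scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>audit(1114529038.066:0): avc:  denied  { getattr } for
>path=/etc/selinux/config dev=dm-0 ino=3837327
>scontext=system_u:system_r:dhcpc_t
>tcontext=system_u:object_r:selinux_config_t tclass=file
>audit(1114529038.479:0): avc:  denied  { use } for  path=/init dev=rootfs
>ino=8 scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t
>tclass=fdSELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses
>genfs_contexts
>audit(1114529050.126:0): avc:  denied  { use } for  path=/init dev=rootfs
>ino=8 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t
>tclass=fdaudit(1114529052.770:0): avc:  denied  { write } for  name=etc
>dev=dm-0 ino=3833857 scontext=system_u:system_r:hald_t
>tcontext=system_u:object_r:etc_t tclass=dir
"""

# A new record starts at an audit(...) stamp or an "SELinux:" message, even mid-line.
RECORD_START = re.compile(r"(?=audit\(\d+\.\d+:\d+\):|SELinux:)")
AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(text):
    """Return (source_type, target_type, tclass, perms) for each AVC denial."""
    # Undo mail quoting and wrapping: drop the leading '>' and join the lines.
    joined = " ".join(line.lstrip(">").strip() for line in text.splitlines())
    records = []
    for chunk in RECORD_START.split(joined):
        m = AVC.search(chunk)
        if not m:
            continue  # not an AVC denial (e.g. an "SELinux: initialized" line)
        f = dict(re.findall(r"(\w+)=(\S+)", m["rest"]))
        # Contexts are user:role:type; the type is the part policy rules name.
        src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        records.append((src, tgt, f["tclass"], m["perms"].split()))
    return records

def summarize(records):
    """Map (source_type, target_type, tclass) to the sorted denied permissions."""
    groups = defaultdict(set)
    for src, tgt, cls, perms in records:
        groups[(src, tgt, cls)].update(perms)
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(parse_avc(SAMPLE)).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Grouping by source type makes it easier to see which domains account for most of the denials before deciding whether the policy or the file labels need attention.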

